You try to make a remote desktop (RDP) connection to the server from the local client.

In this scenario, you receive the following error message:

An authentication error has occurred. The function requested is not supported. Remote computer: <computer name or IP>. This could be due to CredSSP encryption oracle remediation. For more information, see https://go.microsoft.com/fwlink/?linkid=866660.

How to verify that the CredSSP update is installed

Check the update history for the following updates, or check the version of TSpkg.dll.

Cause

This error occurs if you are trying to establish an insecure RDP connection, and the insecure RDP connection is blocked by an Encryption Oracle Remediation policy setting on the server or client. This setting defines how to build an RDP session by using CredSSP, and whether an insecure RDP connection is allowed.

See the following interoperability matrix for scenarios that are either vulnerable to this exploit or cause operational failures.

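| Client \ Server       | Updated  | Force updated clients | Mitigated | Vulnerable |
|-----------------------|----------|-----------------------|-----------|------------|
| Updated               | Allowed  | Blocked²              | Allowed   | Allowed    |
| Force updated clients | Blocked  | Allowed               | Allowed   | Allowed    |
| Mitigated             | Blocked¹ | Allowed               | Allowed   | Allowed    |
| Vulnerable            | Allowed  | Allowed               | Allowed   | Allowed    |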

Examples

1. The client has the CredSSP update installed, and Encryption Oracle Remediation is set to Mitigated. This client will not RDP to a server that does not have the CredSSP update installed.

2. The server has the CredSSP update installed, and Encryption Oracle Remediation is set to Force updated clients. The server will block any RDP connection from clients that do not have the CredSSP update installed.

How to install this update by using Azure Serial console

Sign in to the Azure portal, select Virtual Machine, and then select the VM.

Scroll down to the Support + Troubleshooting section, and then click Serial console (Preview). The serial console requires Special Administrative Console (SAC) to be enabled within the Windows VM. If you do not see SAC> in the console (as shown in the following screen shot), go to the "How to install the update by using Remote PowerShell" section in this article.

Type cmd to start a channel that has a CMD instance.

Type ch -si 1 to switch to the channel that is running the CMD instance. You receive the following output:

Press Enter, and then enter your login credentials that have administrative permission.

After you enter valid credentials, the CMD instance opens, and you will see the command at which you can start troubleshooting.

Set the vulnerability registry key to allow non-updated clients to connect to the VM.

Enable Serial Console for future and easier mitigation.

Restart the VM.

Workaround

Warning

After you change the following setting, an unsecure connection is allowed that will expose the remote server to attacks. Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, back up the registry for restoration in case problems occur.

The most common scenario is that the client has the CredSSP update installed, and the Encryption Oracle Remediation policy setting does not allow an insecure RDP connection to a server that does not have the CredSSP update installed.

To work around this issue, follow these steps:

On the client that has the CredSSP update installed, run gpedit.msc, and then browse to Computer Configuration > Administrative Templates > System > Credentials Delegation in the navigation pane.

Change the Encryption Oracle Remediation policy to Enabled, and then change Protection Level to Vulnerable.

If you cannot use gpedit.msc, you can make the same change by using the registry, as follows:

Run the following command to change the Encryption Oracle Remediation policy setting by using the registry:

Set-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters' -Name "AllowEncryptionOracle" -Value 2 -Type DWord
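The verification step and the registry change described above, as an added PowerShell example that is not part of the original article: it reports the current AllowEncryptionOracle value together with the TSpkg.dll version, and backs up the key before changing the value. The function names and the backup path are assumptions; only the value 2 (Vulnerable) appears on this page, while 0 (Force updated clients) and 1 (Mitigated) are the documented values for the other two levels.

```powershell
# Added example (not from the original article). Function names are hypothetical.
# 2 = Vulnerable comes from the article's command; 0 and 1 are the documented
# values for the other two Encryption Oracle Remediation levels.
$CredSspKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$LevelNames = @{ 0 = 'Force updated clients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }

function Get-CredSspOracleStatus {
    # Read the policy value; the key or the value is absent if never configured.
    $value = $null
    if (Test-Path -Path $CredSspKey) {
        $prop = Get-ItemProperty -Path $CredSspKey -Name 'AllowEncryptionOracle' -ErrorAction SilentlyContinue
        if ($null -ne $prop) { $value = [int]$prop.AllowEncryptionOracle }
    }
    if ($null -eq $value) { $level = 'Not configured' }
    elseif ($LevelNames.ContainsKey($value)) { $level = $LevelNames[$value] }
    else { $level = "Unexpected value $value" }

    # Report the TSpkg.dll version for comparison with the update's file list.
    $dll = Get-Item -Path (Join-Path $env:SystemRoot 'System32\TSpkg.dll') -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        RegistryValue   = $value
        ProtectionLevel = $level
        TSpkgVersion    = if ($dll) { $dll.VersionInfo.FileVersion } else { $null }
        InsecureAllowed = ($value -eq 2)   # True while the workaround is in place
    }
}

function Set-CredSspOracleLevel {
    param(
        [Parameter(Mandatory)] [ValidateRange(0, 2)] [int] $Level,
        [string] $BackupFile = "$env:TEMP\CredSSP-Parameters-backup.reg"  # assumed path
    )
    $before = Get-CredSspOracleStatus
    if (Test-Path -Path $CredSspKey) {
        # Back up the key first, as the article's warning advises.
        & reg.exe export ($CredSspKey -replace '^HKLM:', 'HKLM') $BackupFile /y | Out-Null
    } else {
        # Set-ItemProperty fails when the key does not exist yet, so create it.
        New-Item -Path $CredSspKey -Force | Out-Null
    }
    Set-ItemProperty -Path $CredSspKey -Name 'AllowEncryptionOracle' -Value $Level -Type DWord
    [pscustomobject]@{ Previous = $before.RegistryValue; Current = (Get-CredSspOracleStatus).RegistryValue }
}

Get-CredSspOracleStatus
```

Run the script from an elevated PowerShell prompt. The Previous field returned by Set-CredSspOracleLevel is the value to pass back in when the workaround is no longer needed.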